How can I make authenticated Plugin?

I made an OAuth plugin. The user flow is below.

  1. Install the plugin
  2. Move to website for login
  3. Login success
  4. Redirect to the redirect URL
  5. API call to authorization_url
  6. Success

I have a question. The users make their account at the 2nd step, but I have to give the token to ChatGPT at the 5th step. How can I get the user information generated at the 2nd step?

On the official document, there is no mention of getting the user information at the 5th step. Do you have any solution?

I’m not sure I follow. If you’re creating a new user (and saving to DB) in step 2, why can’t you then use that info when generating the access token in step 5?

If you’re using a third party for oauth (such as Auth0) then it should handle this all for you.

If you don’t want to lose time building this, you can give a try to PluginLab.ai, it’s free 🙂

Yeah I know your service. You are great. But can you tell me the logic? How can I solve the problem?

because at step 5, I got the values from openai

grant_type’: ‘authorization_code’, ‘client_id’: ‘’, ‘client_secret’: ‘’, ‘code’: ‘’, ‘redirect_uri’: ‘https://chat.openai.com/aip/plugin-88ae40-8d9f-c19db05b7638/oauth/callback’)

There is no value about the user

I save the user at step 2, but I cannot access the user at step 5, because there are no user information parameters from ChatGPT when the authorization_url API is called.

You should have generated the code for ChatGPT, which it then sends back to you to exchange for an access token. So it’s up to you to map the code to the user, e.g. storing the one-time code in your database with a mapping to the user id.

Here’s the oauth flow in full from your app’s perspective, where the client is ChatGPT:

  1. The authorization server receives a request from the client application to authenticate a user. This request includes a redirect URI, client ID, and scope of access.
  2. The authorization server then presents the user with a login screen and asks them to grant the requested permissions to the client application.
  3. If the user consents, the authorization server redirects the user back to the client application using the provided redirect URI. This redirect includes an authorization code as a parameter.
  4. The authorization server then waits for a request from the client application to exchange the authorization code for an access token. This request must include the authorization code, client ID, client secret, and redirect URI.
  5. Upon receiving this request, the authorization server verifies the provided information. If everything checks out, the authorization server sends back an access token.
  6. The authorization server may also receive requests from the client application to access the user’s data using the provided access token. The server verifies the access token and, if it’s valid, returns the requested data.

Note how in step 3 the authorization server (your app) redirects back and must include a code as a parameter. This code is then exchanged for an access token in step 4.

This is tricky to implement, so I highly recommend using a library or existing service for this.

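The mapping the answer above describes, written out as a small authorization-server-side example. This is added illustration, not the original poster's plugin or any library's API: the class and function names are hypothetical, the in-memory dicts stand in for the database table that would hold the pending codes and issued tokens, and the client id, secret and `https://example.invalid/oauth/callback` redirect URI are constructed values. The point it shows is that the code minted at step 3 is stored together with the user id it was issued for, so that step 5 (the token exchange, where ChatGPT only sends back `grant_type`, `client_id`, `client_secret`, `code` and `redirect_uri`) can recover the user from the code alone. It also shows the checks a server should do at that step: the code is single-use, short-lived, and only valid for the client and redirect URI it was issued to.

```python
"""Authorization-code bookkeeping for the server side of the OAuth flow
(hypothetical example, not the original poster's code)."""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL_SECONDS = 60      # authorization codes should live only seconds to a minute
TOKEN_TTL_SECONDS = 3600   # access token lifetime


class OAuthError(Exception):
    """Raised with an RFC 6749 error string such as 'invalid_grant'."""


@dataclass
class PendingCode:
    user_id: str        # the account created or logged in at step 2
    client_id: str      # client the code was issued to
    redirect_uri: str   # redirect URI the code was issued for
    issued_at: float


class AuthorizationServer:
    """Your plugin's authorization server; the client is ChatGPT."""

    def __init__(self, client_id, client_secret, redirect_uri, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.clock = clock            # injectable for testing expiry
        self._codes = {}              # code -> PendingCode  (stand-in for a DB table)
        self._tokens = {}             # access token -> (user_id, expires_at)

    def authorize(self, user_id, state):
        """Step 3: after login, mint a random one-time code bound to this user
        and build the redirect back to the client's callback URL."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = PendingCode(user_id, self.client_id,
                                        self.redirect_uri, self.clock())
        return f"{self.redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, grant_type, client_id, client_secret, code, redirect_uri):
        """Step 5: the client posts the code back. Look up which user the code
        was issued to and return an access token for that user."""
        if grant_type != "authorization_code":
            raise OAuthError("unsupported_grant_type")
        if client_id != self.client_id or not secrets.compare_digest(
                client_secret, self.client_secret):
            raise OAuthError("invalid_client")
        pending = self._codes.pop(code, None)      # pop: a code is usable once
        if pending is None:
            raise OAuthError("invalid_grant")      # unknown or already redeemed
        if self.clock() - pending.issued_at > CODE_TTL_SECONDS:
            raise OAuthError("invalid_grant")      # expired
        if pending.client_id != client_id or pending.redirect_uri != redirect_uri:
            raise OAuthError("invalid_grant")      # issued to a different client/URI
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (pending.user_id, self.clock() + TOKEN_TTL_SECONDS)
        return {"access_token": access_token, "token_type": "bearer",
                "expires_in": TOKEN_TTL_SECONDS}

    def user_for_token(self, access_token):
        """Step 6: resolve the bearer token on an API call back to the user."""
        entry = self._tokens.get(access_token)
        if entry is None or entry[1] <= self.clock():
            return None
        return entry[0]


def code_from_redirect(url):
    """What the client does with the step 3 redirect: pull out the code."""
    return parse_qs(urlparse(url).query)["code"][0]
```

The replay and expiry checks matter because the code travels through the user's browser in a URL: anyone who captured it must not be able to redeem it a second time or long after it was issued, and binding it to `redirect_uri` stops a code issued for one callback being redeemed through another.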

Wow you are genius and I’m really stupid. I should distinguish the user using the “code” parameter!!! Thank you so much!! I understand that!! Thank you!! Thank you so much
